[ISN] GAO: Feds miss mark on security reporting
InfoSec News
isn at c4i.org
Tue Jun 14 12:48:42 EDT 2005
http://www.fcw.com/article89234-06-13-05-Web
By Florence Olsen
June 13, 2005
Federal agencies need more detailed instructions to handle and report computer security threats, such as phishing, spyware and hacking, government auditors said in a report released today.

Government Accountability Office auditors have found that most federal officials do not understand which computer security incidents they should report or how and to whom they should report them, even though such reporting is mandatory under the Federal Information Security Management Act.

As a result, the Homeland Security Department's U.S. Computer Emergency Readiness Team, which handles incident reporting, is unable to coordinate and respond to cyberthreats that target multiple federal agencies.

To remedy the lack of accurate and comprehensive reporting, the auditors recommended that Office of Management and Budget officials increase their oversight of agencies' efforts to detect, report and respond to emerging cybersecurity threats.

The report identifies the perpetrators of such threats as hackers, insiders, phishers, spammers and botnet operators. Botnet operators control computers infected with "bot" viruses, which the operators use in denial-of-service attacks against targeted Web sites.

The auditors also asked OMB officials, in coordination with DHS cybersecurity experts and the U.S. attorney general, to develop governmentwide guidelines on how to deal with such threats and how to report them to DHS and law enforcement agencies.

In their response to the report, OMB officials agreed to expand their FISMA reporting requirements to include agencies' response to emerging threats. They also plan to issue a document this summer that will define computer incident terms and clarify the roles and responsibilities of federal agencies for reporting computer security incidents.

The additional guidelines are needed, the auditors said, because most agencies have not fully addressed the risks of new cybersecurity threats as part of their agencywide information security programs.